Lennart Poettering

1️⃣3️⃣ Here's the 13th post highlighting key new features of the upcoming v257 release of systemd.

Since a couple of releases ago, systemd-stub knows the "addon" feature. Addons are small UEFI PE binaries that have the structure of regular UEFI programs, but actually contain no code. You might wonder what they are good for then? Well, PE binaries can contain any kind of data, code is just one kind of data. And by making them follow PE structure they can also be cryptographically signed…

…just like any PE program. And that's good, because PE code signing is how UEFI SecureBoot works, after all. So with add-ons we can encode data blobs in a way that UEFI SecureBoot can authenticate them.

The original focus of the addon scheme was on providing an authenticated means to replace the kernel command line in UKI environments (v254). It was then extended to provide a mechanism to override the Devicetree (v255). Now, with systemd v257 we are adding support for CPU microcode add-ons, …

… as well as general initrd add-on support.

Or in other words: there's now a really clean way to augment an OS vendor provided UKI with DT or µcode blobs specific to the local system, all fully authenticated and signed.

And that's all for today.
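An added example, not part of the thread and not systemd code: a small PE header parser that lists which payload sections an add-on carries and whether an Authenticode signature is attached at all. The section names `.cmdline`, `.dtb`, `.ucode` and `.initrd` are an assumption taken from the UKI section naming, and the sample image is constructed in `build_sample` so the block runs offline.

```python
import struct

# Payload section names (assumption: the UKI section names systemd-stub uses
# for command line, Devicetree, microcode and initrd; not listed in the thread).
PAYLOAD_SECTIONS = {".cmdline", ".dtb", ".ucode", ".initrd"}
SECTION_FMT = "<8sIIIIIIHHI"   # 40-byte PE section header
COFF_FMT = "<HHIIIHH"          # 20-byte COFF file header

def inspect_addon(blob):
    """Return ({payload section: raw size}, [other sections], has_signature)."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, blob, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    ndirs = struct.unpack_from("<I", blob, dirs - 4)[0]
    # Data directory 4 is the certificate table, where Authenticode
    # signatures live. A non-zero size means a signature is attached; it does
    # not mean the signature is valid or trusted.
    signed = ndirs > 4 and struct.unpack_from("<II", blob, dirs + 32)[1] > 0
    payload, other = {}, []
    for i in range(nsect):
        hdr = struct.unpack_from(SECTION_FMT, blob, opt + opt_size + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        if name in PAYLOAD_SECTIONS:
            payload[name] = hdr[3]                 # SizeOfRawData
        else:
            other.append(name)
    return payload, other, signed

def build_sample(sections, cert_size):
    """Constructed header-only PE32+ image so the example runs offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 32, 0x1000, cert_size)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16) + bytes(dirs)
    coff = struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, len(opt), 0x0022)
    heads = b"".join(
        struct.pack(SECTION_FMT, n.encode(), size, 0, size, 0, 0, 0, 0, 0, 0x40000040)
        for n, size in sections)
    return dos + b"PE\0\0" + coff + opt + heads

if __name__ == "__main__":
    sample = build_sample([(".sbat", 200), (".ucode", 4096), (".dtb", 1024)], cert_size=1800)
    print(inspect_addon(sample))
```

The check only reports that a certificate table is present; whether the signature chains to a key the firmware trusts is decided at boot by UEFI SecureBoot.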

@pid_eins Thank you for writing these updates, I really enjoy reading them. Too often I learn something new and then fall down the rabbit hole 😄